Creating a Visibility Architecture

Traditional network security has been built from disparate point technologies, leaving gaps in the defenses that sophisticated attackers exploit. With an integrated approach, organizations gain the full contextual awareness and dynamic controls necessary to automatically assess threats, correlate intelligence, and optimize defenses to protect modern enterprise networks. An integrated threat defense also considers both the network and the endpoint perspective across the extended enterprise. Contrast this with point solutions that lack the visibility needed to spot multi-vector threats and to see which users, applications, content and devices are on the network and what each is doing.

In today’s dynamic network environment, point solutions lack the visibility and control required to implement an effective security policy and to accelerate threat detection and response. In addition, disparate solutions add capital and operating cost and administrative complexity, and raise implementation cost when they are integrated with the existing IT environment, workstream, and network fabric. By integrating defense layers, organizations can enhance visibility, enable dynamic controls, and provide advanced threat protection that addresses the entire attack continuum: before, during, and after an attack.

Robb: Here's what my thinking is. Here's the marketing slide. I jacked it up a little bit, just to kind of play with the red text. But in general, what we're saying with this release is we've got ASA, which has got quite the heritage, right?

This is a full network firewall that we've had for years; now we're going to integrate technologies from Sourcefire, FirePOWER Services, but specifically it says it's an adaptive, threat-focused, and here's another acronym for us, NGFW.

Jimmy Ray: I get tired of the word NGFW because it tends to lend itself now to more of a marketing term. Anytime you hear that type of stuff it's like, "What makes it next generation?" If you look at Star Trek, what makes Star Trek Next Generation is they've got an android on the bridge. It's like, "So there's some differences there." More than just marketing.

Robb: How do you know when you're done? Because if it's next generation now, then how do you describe the next iteration? Is it not also a next generation?

Jimmy Ray: I guess there are marketing people that probably get a lot of money for [laughs] answering that question, because I have no idea. Because what it really means is, realistically, next generation does actually have a design turn.

Anybody doing an NG type of product...I mean IPv6 was IPng for a very long time before it became v6. Next generation is really implying that you are going beyond layer four on the ISO model, or the OSI model. You're going beyond layer four and saying, "I'm going beyond sockets, and I'm going to start climbing the ladder and look at checksums, and look at some of my layer seven, layer six detail." That's really the next generation of stuff. A lot more processing.

Robb: At a high level though, next generation firewall is something that's going to start encompassing, like we do with the routers, you've got multiple functions that were normally considered disparate, or part of other appliances, or software functions. But specifically, don't we say next generation firewall includes at least the VPN functionality, as well as application control? I'm trying to remember what the subdivisions are.

Jimmy Ray: Some people say that.

Robb: Or is it a hard and fast rule?

Jimmy Ray: There isn't a hard and fast rule. There's not like, "To be an NG, you have to have the following features and stuff." A lot of vendors will add their value added features like VPNs. It makes a lot of sense to have a VPN concentrator built into the firewall now, because that's an exit point to your network. It just makes a lot of sense.

It makes a lot of sense to have an IPS reader or feeder in there because, once again, it's where all your traffic is residing. It's that one demarcation point where everything is going up through.

Robb: It's a logical place. There's decryption that occurs when that traffic stops, so you're going to have to inspect it there as you hand it off. As we talk about this stuff, one new term here that we've got, and we talked about this in the Sourcefire show, advanced malware protection is actually a very, very critical Sourcefire term that we've gotten, because this really is about ASA plus Sourcefire.

We're going to talk in just a minute about what's important to understand from the attack continuum, but I'm curious, because I wanted to have you go through this. This is another slide that I had seen internally that kind of described from a functionality perspective the things that you're now getting with the ASA, and this combination of firepower services.

But each one of these has a history that is really about best of...Well, I hate to use that term, but really something another set of technologies is known for being good at, whether it came from the ASA lineage, or the Sourcefire lineage. Clustering and high availability, where would you assign that one?

Jimmy Ray: That is definitely an ASA thing, and you know what? It's OK to say that we're the best at that, because we absolutely are.

Robb: They would freely admit that. That's not a...

Jimmy Ray: That is a fantastic feature. If you don't like the ASA, I get that, you cannot deny that the clustering and the high availability is absolutely, positively, second to none.

Robb: Because they've done a firewall before, but they would admit that they did not have the networking background to be able to do the things that we could do, and so clustering and high availability, that was one of the biggest things I think that was first mentioned in our research internally, and the Sourcefire folks talk about that.

Jimmy Ray: We had a product there that we're pushing. We even did the fundamentals on it. Remember the IPS of...the findings of IPS were pretty good. It was all right. I don't want to smash talk it, but then when you compare it to something like the [inaudible 04:54] stuff, it's like, "No, it's not even close." It's amazing.

Robb: We'll give this one over to Sourcefire for that one?

Jimmy Ray: Yeah, I would give it over to Sourcefire. We've got the hooks built in, that's the key.

Jimmy Ray: Yeah, obviously B is pretty good, because we actually have that built into routers and switches. AVC's a fantastic feature and stuff, and it gives you a great amount of detail, and then we go up to get even more telemetry once we start doing the firepower stuff. That's the real meat of that.

Robb: This big one here, I'm just going to go ahead and circle it because, really, obviously, FireSIGHT, this comes from...this analytics and automation is really something that I'm excited about being able to talk about this entire show.

We're going to illustrate what this is all about, and this is something that comes from the Sourcefire side beyond even what we would say is something that's only happening in the firewall. It's about the role that it plays with a lot of other things, so we'll spend more time on that one. It's a Sourcefire thing, but it's what the whole show is about.

Advanced malware protection, we know it'll give that one to Sourcefire. Built‑in network profiling, Sourcefire as well.

Jimmy Ray: Yeah. Ironically enough, yeah.

Robb: What about URL filtering? We've been in and out of that market in many different ways.

Jimmy Ray: It's interesting because we've had a few products that did this, and did this pretty well, but once again, man, Sourcefire, they've got a great freaking product there, so they win.

Robb: It's all about that analysis. It's that visibility that's really playing into it.

Jimmy Ray: If I was competing against them, I'd have a hard time.

Robb: I think this one, identity policy control and VPN.

Jimmy Ray: I'd give that a little more over to the Cisco side of the house obviously because when it comes to VPN, I think Cisco has like a gajillion flavors of VPN on the network, plus you've got ISE, and ISE is a great product, one that ties in to just about everything in security anyway.

Robb: That's an important distinction that we're talking about today, is the notion of if you were to contrast being threat‑focused in terms of how we're focused, in terms of what's important today, versus something that ISE would represent, that we do a very good job with because it's about the whole network taking play, but being able to define a policy and then apply everywhere as needed, because that's not a simple thing to do, but yeah, we give that back on the Cisco side.

I want to ask you, before we run out of time here, there's some lineage from the Sourcefire side in the open source community. How important is that?

Jimmy Ray: I think it's critically important. You're looking at one of the most popular and most used IPS/IDS systems out there. Snort is a way you get things done. When you're starting to learn security, one of the first things that you learn after step one, here's how a man‑in‑the‑middle attack works, step two, here's how you detect it, and write your own Snort signature, and you understand that language and how to do that stuff, so we all grew up with this stuff.

Robb: I was going to say, how many engineers, because of the fact it was open source, really cut their teeth in learning how to write a signature...because that's a scary thing when you looked at it and it just begged for more automation and more GUI, but this is also the source of a lot of the challenges that we have today, right?

Jimmy Ray: A lot of books, a lot of materials out there have done this. The one thing I like to say about especially when it comes to Snort is take a look at any vendor's switch or router out there today, and what interface are they emulating? It's IOS.

It's the one that most people know. Snort is emulated and used the most because it's the one that most people know. It has the humongous user community. The Snort rule set is used in all kinds of stuff. If you know how to do Snort rules, well, you understand how to do Nessus rules too. It really transcribes to just everything out there.

The background, the meat and taters of that, is right there for sure.

Robb: You need people, you need to go where you've got a wealth of people to draw upon that have the intelligence that you need. I would also argue, and I think they would admit this as well, that it was a precursor to the problem that we're also fighting today, which is the amount of noise that these type of devices can generate, and Cisco's had its fair share of devices doing that as well.

We have to talk about how to get beyond that, but hats off because a lot of intelligence and a lot of market momentum has been developed by Marty and the guys that developed this stuff.

Jimmy Ray: Yeah. There's no doubt about that, man. They really are.

Robb: What we're going to focus on, if I can get the slide to go over here, is we talk about...at its heart we're talking about ASA plus Sourcefire and what does that really bring you. We've talked about ASA a lot on this show. We're not going to spend a whole lot more time on that. Why do that? What we're really going to dive into in just a moment is what we boil down as five concepts and capabilities...

Jimmy Ray: I keep moving the monitor here behind you

[crosstalk]

Robb: Is that what you're doing?

Jimmy Ray: People getting all seasick, I apologize.

Robb: Ignore him. Focus on me.

Jimmy Ray: [laughs]

Robb: We're going to talk more about what does Sourcefire bring into the equation because there is a lot new stuff to get our heads wrapped around that is extremely beneficial, but first I think it's most important to understand why we need this level of focus. Why do we need new answers for these continually evolving new threats?

We're going to take a little special lab time with Jimmy Ray as he breaks down one of the most high profile attacks on a high profile retail network that was fully certified, they knew how to do their security, yet somehow they were still compromised. That is important to understand why that happened and that's next.

SEGMENT 2: VIRUS DISASSEMBLY

Jimmy Ray: A couple years ago I talked about a virus that actually was transmitted through PDFs, and to show how it worked, and we did a disassembly of it, and it was pretty darn interesting how that worked, and there is no better place to look at how fast IT knowledge is advancing than disassembling malware, so we're going to go ahead and take apart Kaptoxa, one of the most amazing viruses I've seen in a while, that actually took down a point of sale system, so let's take a look at that.

Kaptoxa is actually spelled like this. It looks like "Kaptoxa" or something like that, but you actually pronounce it "car‑toe‑sha," like in "sha‑na‑na" for "sha" and stuff, so one of the things...and what it actually means is it's slang for taters, and who doesn't like taters? Especially with cheese and "nom, nom, nom," right?

Besides that point, as you look at...let me go advance my slide. Here we go. If you look at what it does, it targets the POS, or the point of sale system, right where you actually swipe that credit card, and what it's looking for, or why it does that, is that basically if you take your machine here, when you swipe that credit card, that information is all coming in clear text, so what we're trying to do is a traditional man‑in‑the‑middle attack.

Remember, it's much like Security 101. When you first start learning how to hack a machine, one thing you'll do, you'll do an ARP spoof, and get in the middle of it, and watch conversations and stuff. Really what we're trying to do is get in the middle of this transaction to watch it because what happens is as you swipe that data, it gets written into RAM, and it's written in clear text.

If we have a piece of malware that can look at what's going on here in memory, and scrape that out, and then just drop it in, then you're actually bypassing one of the PCI regulations that really basically say that anything that comes swiped in, you have to bring it in and you have to encrypt it end‑to‑end so that you cannot actually transmit that data into even a clearer form.

When you're moving that, the only place that this can be decrypted is actually here in RAM, so hackers said, "Huh, how can I actually fix that and scrape it?" They'd been working on programs for a while like Dexter, and Stardust, and stuff like that to figure out how to make this stuff work, and boy did they hit a winner when it came to Kaptoxa, because what the overall rule is here is when you're looking at what your credit cards do, any credit card out there basically has two tracks.

Track one is where your name and your account number, that type of information stuff, is stored, and then track two is where your credit card number, your expiration date, and your CV is at. Now if you can get both of these tracks, then you can basically duplicate that credit card, make them all you want, but how do you do it? That's a trick.

The hackers that actually did this, they're brilliant. What they said was, "Hey look, this is [inaudible 12:58] decode of the process." What they need to do is install this and actually have it look like a service. That's one of the things we want to do with any virus. We don't want to make it look like a virus. It's got to be very incognito. It's got to work as it's supposed to so it looks very hidden.

Here, what you see is that we have this actually install and look just like a service on the machine, autostart so when the machine reboots, it'll actually fire back up again and actually make it interactive, so it runs in its own service, so check this out.

We also gave it a name here. POSWDS is actually...when you look at the virus name, that's actually the header of it, POSWDS, and it works pretty good. It's actually a variant of a virus called BlackPOS, but this one is very specific. It works very cool.

When you look at a compromised machine, it just looks like this. That looks like a normal service. POSWDS, when you look at this, this does not look like..."how can that be harmful?" It looks like it's pretty darn innocent out there.

That's not the end of it, because what they did was they said, "Hey, we need to make sure that people can't find this thing out there. We need to make sure that it stays hidden," and when you're disassembling one of these viruses, one of the most important things, just like a medical virus, we want to find out what is Patient Zero. What's the point of origin for that virus? Here so we could understand what the thought is, maybe figure out who the cyber criminals may be.

Here, when you look at it, one of the things that were set was code 1251, which basically puts it in Cyrillic, so the thought at the time was, "This is in Cyrillic. It's in code 1251. This must be from Russia. It must be a Russian type of gang doing this type of stuff," that type of thing.

As they're breaking this down, they're like, "Well, knowing that it's Russian, there's a certain pattern that they're going to follow," and they're going to try...investigators are going to look and try to find those patterns out there, but the folks who did this were pretty smart.

What they said was that, "Here's the thing. Any major store that runs these point of sale systems are probably going to have not one anti‑virus detection, but probably a whole bunch, and not one firewall, but probably a whole bunch, so how do we make this look like it's a regular conversation?"

If I'm going to sneak up and spy on what somebody's going to be saying at me, I'm not going to come stomping in with my boots on and say, "I'm just trying to listen, to eavesdrop what you're saying." You're just going to try to saunter up, and try to just be real quiet, and hear that, and only come when the people are talking. That's what this virus did.

Check this out. This is the smart part about it, because what they did is that the virus made a call to the local time, and it found out, and it said, "Well, what time is it? If it's between 10:00 and 5:00, then scrape, transmit a little bit of that data, grab that stuff out of here. If, however, it's later than or earlier than 10:00," you see these type of statements here, "then wait for seven hours and then, " see this call right here, location 40, "run that subroutine again. Jump back to this subroutine and then try it again."

Get local time, see where you're at, that type of stuff, and run it through. Just keep doing this during these hours. Why between 10:00 and 5:00? That's store hours, and if you're getting local time here, you don't have that nasty little time zone problem.

You can always check what the local time is and figure out where, if you're trying to grab transaction on the East Coast or the West Coast of the United States, that you're always within these parameters, so it operates just like the business does, right within normal business hours.

When it grabs that information and goes to transmit it, this is a pretty complex attack because what it is, really, it's a two‑stage attack. We're using not one piece of malware to run this thing. We're using two, so to launch this attack, you've got to be pretty darn smart. You have to get a memory scraper onto the point of sale system, and then you've got to have a back door, or an exfil, to actually grab that data and transmit it out.

What they did was they found a compromised host. Now I blanked out some of this stuff so you can't see it, to protect the innocent and stuff, but they did a NetBIOS share here and they set it up to 10 dot whatever, whatever, whatever, and a username, and then they would just transfer these decoded strings to that compromised internal host.

It acted as a storage container, as just a garage. They would transmit all this data there. They'd scrape it off the POS machine because, again, you're getting a bunch of these transactions coming like crazy. You scrape them, dump them out, dump them out, dump them out. Transmit them across the network, they just look like normal data, so that's a big piece of this.

The next piece is, let me go ahead and slide over here a little bit more, is that after we transmit all that data, we've got it from...now again, because it's a two‑stage attack, we've got it from the point of sale system to the exfil box that's on the inside.

Now I've got to actually transmit and get that stuff off my network, and how am I going to do that? Same process. Why change the logic here? We're still going to be quiet. No transfers until we're right within the operating window here to set this up. Still, once again, very smart stuff.

You don't expect that data to not be there. If you see this as you're a normal system admin, it's just like normal credit card data. What's the big deal? It would fit every single profile on the network out there period. It looks like processing data. Smart, smart, smart stuff.

Now the exfil service that would use the backend server that was set up was actually a service that they called BladeLogic. BladeLogic is the name of this, so if you're looking at your services...and go through it. If you've got a Windows machine, go through the control panel, through services and stuff, and look at all the services on there. Man, it's hard to keep up with all that mess.

If you had one in here called BladeLogic, especially on a server, it's probably some vendor's SNMP type of management program and stuff out there, it's got bugs and everything else in it, so this looks normal. Really smart stuff.

Let me show you how this actually worked from end to end. You take your credit card transactions, and they're swiped, and they're scraped. The POS virus is actually scraping all those off and reporting these to my internal server, the one that I actually call 10.x.x.x. Now the key is now when I actually transmit this back up to my exfil server.

This is my server that's actually going to transmit all that data up and FTP it, allow an FTP connection to come right out of my network, right up to the Internet, and then off to the cloud over here, which is going to what we call a VPS, a virtual private server.

A virtual private server is a device on the network that you can buy, rent from an Internet service provider, that is just a virtual server, and you can set it up, put anything you want on it, tear it down, leave, split. It's anonymous. It's pretty darn cool.

This data would transfer just in this manner here. Stage one is right here, stage two is right there, and that data's gone. For this virus in particular, in two weeks' time that this lived on the network before it was caught, it actually captured 11 gigabits of data, 11 gigabits of data in two weeks of just credit card processing.

Consider if you open up a text file right now and you type in probably about the characters...typed in 200 characters on the next file, and then just saved that file. Look how small that file is.

Now consider how much information 11 gigabits of data is out there, and you rewind this whole presentation, and you look at, hey, earlier, two years ago, we were talking about something like the Adobe program, that actually went in, and did its little malware delivery system, and stuff. You're looking at something a whole lot more complex, two‑stage like this.

The most important thing to understand about this is when you're picking a security solution out there, these hackers are good. They are very, very good, and they're just going to get better. If this is like, "Holy smokes, this is amazing," yeah, OK. This is old data. What is this, the 13th? This is old stuff, so there's a lot of stuff better out there.

When you buy a firewall, when you buy intrusion‑prevention system out there, please understand nothing ever works by itself. You've got to tune it. You've got to work on it. Make every vendor earn your money, man, because it's very critical that this is what you're facing, and they're pretty darn sharp, so tune your system and make sure you've got somebody out there that manages the thing from start to finish.

Segment 3 - KEY CAPABILITIES

Robb: All right, so I enjoyed the disassembly. What I wanted to come back to was this notion of understanding then the concepts. How do we begin to address what the true root of the problem is? I'm curious from your perspective, because I've heard different answers to this question but I'm sensing a trend, how many security devices does any one given average company, would you say, what's the range of security devices someone would have on the network?

Jimmy Ray: "Security" is such a broad term that it could be anywhere from 10 to 1,000. When you start actually looking at...well, look. You consider the traditionals, anti‑virus stuff of course, duh, but then you also...for patch management, what are you going to do? That's security. What about firewalls, intrusion‑protection stuff, firewalls on clients, host‑prevention type systems, if you will, any type of management software, access control list on your devices, any of your telemetry monitoring stuff?

It gets pretty deep because security's embedded across everything. The more important question on something like that is, "What don't we have security on?"

Robb: Well, I'm glad you asked that...

Jimmy Ray: That's the piece.

Robb: ...because here's where I think, how well do you think most people, even security people...it seems like there's a lack of knowledge or a true understanding as to this type of device at this location where it operates, and where it is on the OSI layers, and what it can see.

It's there to perform a certain function, and by virtue of that, it doesn't do other things, so that's why you end up with multiple devices that some people have thrown at problems because, I'm assuming it's a smaller number, but out of...let's say you've got 50 different devices on your network that are doing some aspect of security. How many different vendors are a part of that equation?

Jimmy Ray: Oh, there's no telling...

Robb: It could be as many as 50. [laughs]

Jimmy Ray: Of course. Endless because it's true best of breed, and that's the nice thing about having one vendor, that it does give you...it should give you some consistency across the platform. That's not always the case, but it should, but then it also means that, well, are you handcuffed to what they're doing? Sometimes the best in breed of doing everything else is a piece.

It really depends. There is no cookie‑cutter answer. What works best for you?

Robb: This is where I think the problem comes in, is one, there's a lack of knowledge of exactly what something does and what it doesn't do so we could understand how do we answer that question that you brought up, which is knowing are we comprehensive for the problems that we're trying to solve.

Then you step back even further and you go are you even aware of the type of threats that are relevant to your environment?

Because that implies a certain awareness of the network that most people don't have, even not from a security perspective, just from a simple network design perspective, because if you ever get assigned that task, it's so loveless because you know that as soon as you even begin approaching to finish it, things have changed that you started on earlier, and you're like, "This is just a mess."

It begs for automation, and I think it gets back to the problem which is, and we hinted at this in the Snort section, talking about the lineage of Sourcefire and such, but any of these devices, including little networking devices, all produce a lot of extremely valuable information that we attempt to make security decisions based on.

We may even throw some other security products at that, such as a SIEM or an incident event manager, to say, "I'm going to consolidate all this information and then produce it to get a full report for my boss each day that says, 'Here's all the top things that we saw in the last 24 hours.'" That person's not going to be able to do anything more with it than you're going to be able to do with it.

We have this cyclical problem of how do we operationalize security, which I think still boils back down to, and we've talked about this before, but it's this notion of do we have the ability to build a visibility architecture?

Do we have the ability to say, "You know what? There's great information across the entire network from these devices, maybe one security device, but certainly across more of them because each of them gives their own unique view, but how do we begin tapping into that in an efficient manner to arrive at something where the system is telling us, 'This is what's most important for us?'"

This is where I think we begin to understand, when we're focusing on threats as opposed to just simply a policy‑centric view, because that's a good way to look at it as well but it ignores a lot of things about threats, and we begin to understand one way...can you move your arm? That doesn't help me at all.

This notion of how do we begin mapping them in, and just to do this real quickly to set it up, we've got three phases that I hear these guys talking about a lot, which is "before," "during," and "after."

Through each one of these things, we have the ability to say, "You know what? I've got certain security solutions that focus on the ability to identify an attack at the edge of the network, to hopefully stop it if it's a firewall in a traditional firewall perspective. It's doing protocol lookups. Is this constructed correctly for this particular flow, and then yes or no? Do I deny the flow? Do I allow it to go in?

Then as you get further, and you can think of this even as something happening over a point in time, is that you begin to have to acknowledge that everyone is going to get broken into because this is a very brittle line here that breaks very easily.

Jimmy Ray: Isn't that what the security report said? We just released that midyear security report thing and it actually said that at 100 percent of the traffic, the networks they analyzed, 100 percent was reporting some botnet traffic.

Robb: Doesn't that strike you as a little bit cocky to say...

Jimmy Ray: A pretty friggin cocky statement.

Robb: 100 percent?

Jimmy Ray: Pretty darn cocky statement. I would be very cautious of ever using that kind of term.

Robb: But look at the point behind it though.

Jimmy Ray: They didn't back it up, man.

Robb: But the point behind it is not to get overly focused, I think, on the detail, but it's to go, "We need to assume that we are going to be successfully attacked," and then the question becomes, "Are you aware of it?"

Jimmy Ray: That's the point right there.

Robb: That's because you assume that you're going to get past this point before, and you need technologies that operate in this "during" phase, something that helps you with the analysis, and people have started to spend more money.

They say 60 percent of your security money has traditionally been going to your "before" technology, so that's your firewall, your VPNs, maybe your patch management, things like this, but then the "during" phase, which begins to get into telemetry, IPS, things that begin to give you more information to identify what's happening so that you can accurately respond while it's still happening, get on top of it quicker, but people are getting overwhelmed with data at this phase as well.

Robb: Then what happens is how many people don't even know that they'd been attacked, and it was at some point in time much earlier? Now it's not minutes and hours. We're talking about days, months, years where someone has set up camp in your network. What technologies do play in that after phase? Because this is the lowest form of spending. In what we're seeing, people don't look at this enough.

Jimmy Ray: Yeah, logging, telemetry, any type of stuff that does deep analysis of the telemetry, the information your devices are already telling them. Anything that will look and mine that information is very critical in the "after" phase. You're looking at true forensic analysis to look at what your "after" stuff is. That's a big-time deal.

Robb: Here's a thing that blew my mind about what we're doing now with Sourcefire, is the fact that they're saying that what we have...and this goes beyond just the ASA plus Sourcefire conversation, to be fair.

Although it's a great place to start because a lot of this technology's in here, what we're saying is we can improve the amount of information to other places in the network when we get it, but all this information is potentially fed up now with the service into kind of a cloud.

The idea is that not only can we now normalize, and associate data, and correlate that more effectively in and of ourselves, but we can go a step further and say, "Other networks, in an anonymous fashion, have seen certain things that I might want to be aware of beforehand," and they are...

If I understand this correctly, and I want you to go ahead and switch over to the demo because I am curious, how are they able to save information, and operate on it, and not just overwhelm us with information?

Because they're not only saving what has been alerted, saying, "Yes, this is a threat," but we're also keeping information that's saying, "This is not a threat yet, but it might be later," and we want the ability to know where that file is, where that device is, so that we could go back and reassign a threat level to it.

Jimmy Ray: Well, one of the things is when you're looking at it, it's simplicity of the interface, right? What is my normal traffic, which you're seeing in blue line here, versus what are my intrusion events? What do I need to look at? How can I hover over and find out what is going on at this certain time? How many things…[crosstalk]

Robb: That is your timeline.

Jimmy Ray: Yeah.

Robb: Then you said your baseline and your abnormalities.

Jimmy Ray: Yeah, what's your continuum? What are my indications of compromise? How many detected threats have I taken so far? Very nice radar plot. I can actually put my mouse in the middle, I can see how much I've detected, and as I move further away from the plot, I'm actually able to get a lot more detail.

Do you see this, how many threats? Come out here. This is how many indications of impact two, and this is how many hosts I've had at that impact two, and scrolling on down, that being the case, how many are based upon operating system? Look at this. You're going down into Linux, what version of Windows, whatever the case may be.

Robb: Key on that, because that's something you said extremely valuable that I'm seeing as you go over...you're seeing levels of OS, so you're seeing a patch level of detail. I saw some user information here as well.

Really what we're saying, when we say, "indications of compromise," here is we're saying, "This isn't just an alert because it's a legitimate threat. It's a legitimate threat for this particular network, which means that it's a threat and a target that's viable for that threat," because it's that combination of things that I think were historically missing in most security solutions, right?

Jimmy Ray: Yeah. A lot of times we'll take a global temperature report. What we want to know is what's locally relevant to us.

Jimmy Ray: Exactly. But now if I can actually break this down and look at what level my traffic is for my users, where it's going, what my ingress is, what are my allowed connections versus how many have been hit? How many have been blocked? Without going back through and grepping out logs, I can look here on my little pie chart. It's like, "OK. I've blocked 2,000, three percent. Three percent of my connections here. I've got 64,000 connections. I've blocked 2,000."

It's pretty amazing...inactive blocks with resets. You can scroll down and you can get this stuff. How are you correlating all that data really quickly? By just darn good visuals. And you are really getting down the further you go: application by protocols, by clicking over here and saying, "That's my application. What about my clients? What is that going to be looking like?" I click down over here and I can say, "Who is running what?" and what it is that they're being affected by.

You know, ArcServe, Pinterest. What are people doing? What type of client traffic? What type of risk do my applications have? What is my traffic risk in application? Scrolling down, more, more, more. I can actually even set this out and say, "What is the business relevance that I apply?" And my business relevance is seasonal...

Robb: Because it could be very unique...

Jimmy Ray: At Christmas time, at Diwali, this is really important to me. Other times of the year maybe it's not. It's that really nice granularity. You get right on this front analysis page a true honest to goodness analysis that really does make a big difference.

And that's another piece of this, Robb. I don't want to run out of time, but dadgum, man. Look how easy it is to use this thing!

Robb: You are not overwhelmed with menus and stuff either.

Jimmy Ray: Yeah. You are not being hit with a lot of stuff. There's not like 10 different...A lot of these can fit in other categories, but you plug the straight in here and stuff. We even talked about file trajectory. Let's take a look at where viruses are going, where they're being hit at.

One of the things I want to know is if I'm being infected in my network, who else has it? Where else would that go? OK. Well, let's find out. We can see that I've got hit here. Here's my recent malware, go and click that booger up.

So what you are looking at here, Robb, is that when you are looking at these file trajectories, I'm actually taking a look at where this file is going to. I can click on this malware and I can see what my trajectory is. Who got it? Who has it been received from? What was the name of the file? What is it? It's malware. Where did it go to? What applications? What protocols did it actually use and tie in?

That's the kind of telemetry I need in the "after" and even in the "during" so I can take action immediately and quarantine that group of clients or that one client pretty darn quick to stop that outbreak on the network.

Robb: This really starts to define how you are going to handle your remediation, because you've got a level of visibility down to a level of detail and what I gotta say, honestly, is a much more approachable manner. This feels like this is the opposite of that blizzard of misinformation I think that many of us would operate in.

Now to be fair, what are the devices...this is information we are getting in this mapping more. This is Defense Centers. It was called before, I believe, FireSIGHT Management Center. We start talking in this conversation about first understanding that this is ASA plus Sourcefire, which is a way to get a lot of this information.

But for many people that is a single point on a given network. This is information coming in from AMP connectors. So the more the better when it comes to this kind of data analysis in terms of being able to make better decisions. I don't think there's an outer limit on the amount of data we can feed into this. But just to be fair, this isn't all coming just from your firewall combination, correct?

Jimmy Ray: No. Actually, there's really no way I can give you that kind of level of detail...

Robb: It makes no sense at that level.

Jimmy Ray: I've got to be able to have some kind of two-way relationship with my client to send me info. And we grab that info.

A couple of really important things. I know you gotta wrap. But give me just a couple seconds here. A couple real important things to understand about any type of solution that does this type of thing. In my opinion, I'm only as strong as my analysis unit behind it. How many other malware pieces is this thing concluding to it?

If I'm taking this malware and I'm sending it up to be analyzed, am I sending the virus up to be analyzed? Or am I sending a piece of it and then a checksum is going to integrate it, right? I don't want to be a virus propagator, so to be intercepted and be used somewhere else and stuff. Let me just send a fraction of it and then tell the people. And that's what this does. That's one of my favorite features on here. It's hidden. You don't even see it.

Robb: And it's a small amount of textual data, so it's not even a network load issue to worry about, right?

Jimmy Ray: Tiny, tiny bit...

Robb: Isn't it a hash that we're sending out?

Jimmy Ray: Yeah, it is. That's all you're sending out. And you are telling the client on the other end, the analyzing cloud, what this actually is. So you're not sending another virus across your network. That would be crazy. That would be like carrying around smallpox in a Coke bottle.

Robb: Also, I believe they have an outbreak control. They have the ability to nominate or take a file. You can right-click on one of these to send it up for further analysis in their own and they'll detonate that malware within their own sandbox and give you back a deeper analysis from the VRT, the Vulnerability Research Team.

Jimmy Ray: Still very cool.

Robb: They're some smart dudes. And that's what really plays into it. So you get that community immunity when you begin sharing information like you were saying. And it sounds like you've done your homework. This is happening in a safe manner. We're not worried about personal information being shared up. This stuff is not reversible if we're talking about...

Jimmy Ray: A lot of vendors don't even do that. And that's kind of annoying. A lot of people do have that kind of send-up and they don't do it.

Another important thing to remember about this, and I'll turn right to camera to actually say it because it's really darn important, you know, every virus that has ever been released on the Internet is still on the Internet. We get shots to prevent us from getting diseases and stuff. But that doesn't mean your shot is....

Jimmy Ray: Every single one is on there. Yesterday I actually ran through my honeypot and found viruses way back in the '80s and stuff (Black Sunday, Surrender No More, Red Button) still on the Internet that I grabbed in 10 minutes. They are still there.

Robb: You can tell them by the way they dress. (bad joke)

Jimmy Ray: Yeah. You are just inoculated from them.

Robb: And the music that they listen to. No, it's a good point. Like those pictures on Facebook, they're not going away just because you deleted them. They still could be there and they still could be hitting you...

Jimmy Ray: What!

Robb: Yeah. I'll talk about that later. Guys, this is the visibility architecture that we're talking about. What do you have that's going to be able to tell you information not just from your firewall? We started with that conversation. We're coming right back to it next...

Jimmy Ray: You need to just excuse me…

Robb: ...But it's from your mobile devices. It's from your virtual machines. It's from every point on the network that can feed information back up into it. That's what you need to make good decisions.

Next we're going to talk about what you are getting specifically with this ASA plus Sourcefire combination to help answer your security problems. That's next.

Segment 4: ASA plus FirePOWER Service Offering

Robb: To make sure that we haven't actually gotten away from our focus or our goal here, we're talking about ASA now with FirePOWER Services. I think we understand the problems and we understand the threat focus that this brings. But let's get back to the actual hardware.

This looks like, at a glance, we've got something available for the entire line of ASAs?

Jimmy Ray: That's right. Everything is covered, basically, from stem to stern on this entire product line. You really look at all our products here, but then your demarcation point (let me go to red) is about right here where you start looking at where it runs in hardware versus what it runs on software.

Robb: That's strictly what you would expect. It's the amount of information that it has to process. So you're making a lot of the same sizing decisions as you would for a normal ASA, correct? I don't think there's any big mystery in terms of how those are...

Jimmy Ray: No, pretty transparent how that stuff ties in and how you actually buy the managers that cross-launch. Cisco Security Manager, ASDM, is still here. That's the hardware manager piece.

Robb: That's more of an optional component?

Jimmy Ray: Yeah, yeah. That's the hardware manager. Then you have the FireSIGHT appliance on this side where you see some of that cool demo stuff that we tied in here.

Robb: But you can do this one physically or virtually. But just to get into it, I think it's important to understand it's two different managers that you can cross-launch within each other, so you can pull up what you need. But first, the ASA is one thing. The management is another. That FireSIGHT Management Center is really the key to getting the visibility and that GUI view that we enjoy, which we would agree is that visibility architecture, something we're really reaching for.

Jimmy Ray: Yeah, that's the real meat and taters of what you wanted to see there for sure.

Robb: What code level do we need to be at for someone that's got existing ASAs and they are wanting to upgrade?

Jimmy Ray: 9.2.2 is where you need to be on your ASA to run the 5.3.1 code for the FireSIGHT stuff to work.

Robb: So if you are coming at this from an ASA direction or a Sourcefire direction, then that would tell you what code level you need to be at to begin blending those two in your own environment.

Jimmy Ray: That's right. There's a couple different ways to actually run that stuff. You can look at two different packages here. Because you don't have to have the ASA to run that. Let's just say that you know you are some lowlife scum that doesn't have our firewall product.

But if you have another competitor product, I get that and stuff. You can actually still run the FirePOWER stuff and that works fine. You just pick whatever mode you want to run it in.

If you want to do a next gen firewall package, then this is how you can do your licensing. The URL filtering piece, the IPS piece, and the AMP piece are all separate add-ins. You can actually plug all those in. Now, when you are doing the IPS stuff, you are looking at either IPS or the IPS with AMP. The NGFW piece does give you that nice URL filtering mechanism as well. So you can capture the obfuscation inside the URL streams as well.

Robb: Would you agree that any Cisco customers that have not had a chance to play or may not be that familiar with what Sourcefire can bring to the equation...again, I know we're talking about the firewall, but I look at it as kind of an entry point or a way to begin getting into this.

You get the manager and then it's really a very small step to get a whole lot of better information when you start looking at these AMP modules that you could be putting on everything from your mobile devices, on Android or iOS, through to your virtual machines and your servers. So you get a network and a device level view that's going to give you more telemetry data to be able to plot that trajectory. Would you say it is a good place to start?

Jimmy Ray: Yeah. I say that's an excellent place to start because the days of buying a firewall and an IPS and that's your security solution are long gone. Security is a system now. That's where Cisco security has really taken the next step. They are looking at, "How do I make this a system level type of operation to tie hardware, software, clients, everything in to make this one blended solution?"

Robb: Where are we when it comes to this type of thing? I would think that from a network design perspective, when you look at how you deploy these, it's not just a device standpoint but a network design standpoint.

We've had long network design arguments over asymmetric traffic and what is the proper way to get the right view so you can get the accuracy that you need? I would assume that there are going to be some differences in deployment guidelines to take care of here. Oh, thank you. It's almost like you know where I was going. Is that something we could talk about here?

Jimmy Ray: Not really. Here's what we're going to do. This is a really big topic. There's a ton of information to actually talk about when you are deploying a solution like this, as I'm sure you can tell. So what we're going to do is we're going to have a TechWiseTV workshop that's going to be focused on FirePOWER deployments.

We're going to dig into the meat and taters. We're going to look at what it takes to set up this stuff. What happened to sensors? What happened to all this type of information coming back? What type of load does it put on the network? What's my minimum client entry, licensing fees, costs? How does all this stuff work?

There's a lot more that goes into deployment than what we can just draw in blocks and stuff to give you a little piece. So TechWiseTV.com, sign up for the Sourcefire Deployment Workshop. It might be Sourcefire Deployment or FirePOWER Deployment. Something like that. There's two up there now. We just did one today with Jason Wright on Sourcefire AMP. Fantastic workshop. You can go ahead and you can re-watch that one to kind of pre-set up this one.

But we are going to actually dedicate a whole hour at looking at deployment guidelines and what it takes to get this booger off and running.

Robb: I'm looking forward to that one. Ideally, if we can get it, I want to give some props and some thanks out to Charlie Stokes. Hopefully he can join us from a network design perspective because that dude has got some engineering background that would make any fan of our show jealous.

Quite a bit with his IDS and as far back as he goes with Cisco and how many different things he's been through. And to hear him talk about the value of this in the network was enlightening, and it informed a lot of the stuff that we did here. Did you have anybody you wanted to thank?

Jimmy Ray: Yeah. A big shout out to the folks at McAfee, who actually did a lot of the nice write-up and the blog work, a lot of the disassembly stuff on Kaptoxa, and also to Brian Krebs for actually bringing that up, having a really nice blog, "Krebs on Security", good blog to check out if you are very Internet security focused. The guy is really knee-deep in that stuff. Two big props to those folks for sure.

Robb: I'll put that information in the show notes. You can get direct links to that as well as to the workshop as soon as more details on that emerge specifically. But I would check out all the other workshops as well. They are a great way to catch back up.

As we wrap this up and we pull it together, this is the launch of new information. I think we were impressed the first Sourcefire show that we did with the amount of integration that was already happening with the AMP connectors and the cloud web security, as well as in the email security.

But this feels like a bigger integration step moving forward to add a ton of value to a very stalwart platform with a lot of good history.

Jimmy Ray: That's a perfect way to say it.

Robb: OK. Then I won't ask you to comment any further. A couple of things that we want to call out here. Also, I want to give a shout out to a lot of the information and the data that we get from a threat perspective to understand better; it's stuff you can access yourself in the midyear security report.

We've been in this since, I think, 2006, 2005. And it's now every six months because of the amount of information that changes on these things. That newest report is available out right now. There are a couple of good videos that John Stewart did on weak links in security, the statistics that we talked about...

Jimmy Ray: Jon Stewart?

Robb: Not that Jon Stewart, our security John Stewart. Still interesting! [laughs] Just a different John Stewart.

Anyway, so check out the midyear security report. We'll link to that as well. The primary thing here, just pulling back out to these, some say marketing terminology, but I think key things to remember is that we are talking about an architecture here that is visibility driven, that is threat focused, as a contrast to being more policy focused. And it does feel like we've created that visibility architecture.

What I love, because I'm a hardware guy, is the fact that it's platform-based. We have something physical that we can latch onto. And it's the performance, because something I had not realized until we got deeper into the acquisition a year ago and such, and we were looking at this stuff, is that Sourcefire actually has done some extremely amazing things in terms of their passive sniffer capabilities and their measuring traffic and the stackability of their own appliances. Those are still available and still may be an answer someone is looking for if they've already got another firewall solution but they still want to get into some of these solutions. And that's a possibility as well.

Jimmy Ray: Yeah. Agree.

Robb: Guys, if you think there's anything that we didn't cover quite to the level of detail that you wanted, I, of course, recommend the workshop, because chances are it's going to be covered there. Let us know as you always do on Twitter, Facebook, on the blog as well. Please continue to weigh in. Let us know what you are thinking. We will look for you out there at the shows. Keep watching. We'll bring another one to you very soon.